AEPD - PS/00136/2020

From GDPRhub
AEPD - PS/00136/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6(1)(a) GDPR
Article 6(1)(f) GDPR
Article 6(1) GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Decided:
Published: 10.03.2021
Fine: 8000 EUR
Parties: Filigrana Comunicación
National Case Number/Name: PS/00136/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: n/a

The Spanish Data Protection Authority (AEPD) fined Filigrana Comunicación with €8,000 for the infringement of Articles 6(1), 13 and 14 GDPR, as the company gathered and re-used data from the Andalusian Education Department without a legitimate basis, and they did not fulfill their information obligations.

English Summary[edit | edit source]

Facts[edit | edit source]

Filigrana Comunicación gathered public data from the Andalusian Education Department and re-posted them in their webpage. They did it without a legitimate basis, and they did not fulfill their information obligations, regarding both Article 14, about data obtained from a source different than the data subject (in this case, the Andalusian Education Department), and Article 13, regarding general information obligation.

Dispute[edit | edit source]

Can a company re-post public data in their webpage without a legitimate basis?

Holding[edit | edit source]

The fact that a public administration or body publish documents containing personal data does not mean that they are "open data". The fact that the data is accessible to anyone does not necessarily result in the lawfulness of processing without a basis from Article 6. Therefore, the AEPD considered that there has been an infringement of Article 6.1, entailing a fine of €2000.

Article 14 refers to the information that must be provided when the data have not been obtained directly from the data subject, as is the case. The fine for this infringement is €2000.

Article 13 specifies the information that must be provided to the data subject. In this case, the privacy policy does not provide the information about the data controller or about the rights to which the data subject is entitled. In addition, the company had a subscription form to their system, in which it is understood that consent is granted through the "acceptance" of the privacy policy. The privacy policy was not in line with the general information requirements. The fine for the violation of Article 13 is €4000.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.